From d1d621120fe2dd5c08a4cc3884c9009bb55629a1 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Fri, 16 Jan 2026 17:28:34 +0000
Subject: [PATCH 1/6] Include err.h in FFI bindings
---
 boring-sys/build/main.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index 06a30d1fe..5879ede4b 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -784,6 +784,7 @@ fn generate_bindings(config: &Config) {
 "curve25519.h",
 "des.h",
 "dtls1.h",
+ "err.h",
 "hkdf.h",
 #[cfg(not(feature = "fips"))]
 "hpke.h",
From d525c204fe08e119b30ffda245bac5d05e0d99a0 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Mon, 19 Jan 2026 22:41:46 +0000
Subject: [PATCH 2/6] Use fips-build-compatible ERR_add_error_data
---
 boring/src/error.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boring/src/error.rs b/boring/src/error.rs
index 5c1ad40bb..04815863d 100644
--- a/boring/src/error.rs
+++ b/boring/src/error.rs
@@ -183,7 +183,7 @@ impl Error {
 self.line,
 );
 if let Some(cstr) = self.data_cstr() {
- ffi::ERR_set_error_data(cstr.as_ptr().cast_mut(), ffi::ERR_FLAG_STRING);
+ ffi::ERR_add_error_data(1, cstr.as_ptr().cast_mut());
 }
 }
 }
From d8da9e8d8b02675a3bcff02b7d618a18b6ad8fbb Mon Sep 17 00:00:00 2001
From: Kornel
Date: Wed, 10 Dec 2025 15:33:54 +0000
Subject: [PATCH 3/6] Can't cross-build with clang-12 due to libc++ mismatch
---
 .github/workflows/ci.yml | 39 ---------------------------------------
 1 file changed, 39 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8f170856..5667e95a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
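Review bot: In the `boring/src/error.rs` hunk, the `cast_mut()` on the new `ERR_add_error_data` line looks like a leftover from the `ERR_set_error_data` signature. The variadic arguments are only read as C strings, so `ffi::ERR_add_error_data(1, cstr.as_ptr());` would say the same thing without implying the callee may write through the pointer. The compiler checks neither the count `1` nor the pointer type of a variadic FFI call, so a short comment would help the next editor, for example `// SAFETY: exactly one NUL-terminated string follows the count; the callee copies it`. That the callee copies the string is my understanding of BoringSSL and should be confirmed against `err.h`. The enclosing method and its `unsafe` context begin outside this hunk.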
@@ -306,45 +306,6 @@ jobs:
 - name: Build for ${{ matrix.target }}
 run: cargo build --target ${{ matrix.target }} --all-targets
- cross-build-fips:
- name: Cross build from macOS to Linux (FIPS)
- runs-on: macos-13 # Need an Intel (x86_64) runner for Clang 12.0.0
- strategy:
- matrix:
- include:
- - target: x86_64-unknown-linux-gnu
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: 'recursive'
- - name: Install Rust (rustup)
- run: rustup update stable --no-self-update && rustup default stable && rustup target add ${{ matrix.target }}
- shell: bash
- - name: Install golang
- uses: actions/setup-go@v5
- with:
- go-version: '>=1.22.0'
- - name: Install ${{ matrix.target }} toolchain
- run: brew tap messense/macos-cross-toolchains && brew install ${{ matrix.target }} && brew link x86_64-unknown-linux-gnu
- - name: Install Clang-12
- uses: KyleMayes/install-llvm-action@v1
- with:
- version: "12.0.0"
- directory: ${{ runner.temp }}/llvm
- - name: Add clang++-12 link
- working-directory: ${{ runner.temp }}/llvm/bin
- run: ln -s clang++ clang++-12
- - name: Set BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN
- run: echo "BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN=$(brew --prefix ${{ matrix.target }})/toolchain" >> $GITHUB_ENV
- shell: bash
- - name: Set BORING_BSSL_FIPS_SYSROOT
- run: echo "BORING_BSSL_FIPS_SYSROOT=$BORING_BSSL_FIPS_COMPILER_EXTERNAL_TOOLCHAIN/${{ matrix.target }}/sysroot" >> $GITHUB_ENV
- shell: bash
- - name: Set CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER
- run: echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=${{ matrix.target }}-gcc" >> $GITHUB_ENV
- - name: Build for ${{ matrix.target }}
- run: cargo build --target ${{ matrix.target }} --all-targets --features fips
-
 test-features:
 name: Test features
 runs-on: ubuntu-latest
From 5164358798017076414c6c2a00e7015833d16e85 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Mon, 19 Jan 2026 22:31:45 +0000
Subject: [PATCH 4/6] Fix deprecated call
---
 boring/src/ssl/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index fe4bf0784..a697cdc37 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1039,7 +1039,7 @@ impl SslContextBuilder {
 has_shared_cert_store: false,
 };
- builder.set_ex_data(*RPK_FLAG_INDEX, is_rpk);
+ builder.replace_ex_data(*RPK_FLAG_INDEX, is_rpk);
 builder
 }
From e77531ee4f232839aa56460a2e3e08b5f52e4364 Mon Sep 17 00:00:00 2001
From: Kornel
Date: Fri, 16 Jan 2026 16:45:48 +0000
Subject: [PATCH 5/6] Fix boring-sys minimum version Fixes #436
---
 Cargo.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index eb99271d6..91b6b54b8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,9 +19,9 @@ tag-prefix = ""
 publish = false
 [workspace.dependencies]
-boring-sys = { version = "4.19.0", path = "./boring-sys" }
-boring = { version = "4.19.0", path = "./boring" }
-tokio-boring = { version = "4.19.0", path = "./tokio-boring" }
+boring-sys = { version = "4.20.0", path = "./boring-sys" }
+boring = { version = "4.20.0", path = "./boring" }
+tokio-boring = { version = "4.20.0", path = "./tokio-boring" }
 bindgen = { version = "0.72.0", default-features = false, features = ["runtime"] }
 bitflags = "2.9"
From e6bba4448c7316c3b2cbfdf1a99506f05b8eeb7a Mon Sep 17 00:00:00 2001
From: Kornel
Date: Fri, 16 Jan 2026 16:42:11 +0000
Subject: [PATCH 6/6] Ensure dependency requirements are bumped #436
---
 .github/workflows/ci.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5667e95a5..3591e10cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
 pull_request:
 branches:
 - master
+ - v4.x
 push:
 branches:
 - master
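Review bot: In the first `.github/workflows/ci.yml` hunk of patch 6, `v4.x` is added only under `pull_request`; the `push` trigger in the trailing context still lists just `master`. Commits that land on `v4.x` directly (merges, backports) would therefore not run CI, including the version-consistency step this patch adds. If that is not intended, add `- v4.x` under `push: branches:` as well. The `push` branch list may continue past the end of the hunk.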
@@ -63,6 +64,15 @@ jobs:
 run: cargo doc --no-deps -p boring -p boring-sys --features rpk,pq-experimental,underscore-wildcards
 env:
 DOCS_RS: 1
+ - name: Cargo.toml boring versions consistency
+ shell: bash
+ run: |
+ WORKSPACE_VERSION=$(grep -F '[workspace.package]' -A1 Cargo.toml | grep -F version | grep -Eo '".*"')
+ if [[ -z "$WORKSPACE_VERSION" ]]; then echo 2>&1 "error: can't find boring version"; exit 1; fi
+ if grep -E 'boring.* =' Cargo.toml | grep -vF "$WORKSPACE_VERSION"; then
+ echo 2>&1 "error: boring dependencies must match workspace version $WORKSPACE_VERSION"
+ exit 1
+ fi
 test:
 name: Test
 runs-on: ${{ matrix.os }}
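Review bot: Both error lines in the new `run:` script use `echo 2>&1 "…"`, which points stderr at stdout, so the message still goes to stdout. To send it to stderr the redirect should be `echo >&2 "error: can't find boring version"`, and likewise on the second `echo`. Separately, GitHub runs `shell: bash` with `-eo pipefail`, so when the `grep` pipeline inside `WORKSPACE_VERSION=$(…)` matches nothing the step likely aborts on that assignment and the `-z` branch never prints its message. The check still fails closed, but appending `|| true` to the assignment would let the explicit error appear. The `-A1` also assumes `version` is the line directly under `[workspace.package]`; a one-line comment in the script stating that assumption would save a future debugging session.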